New Lotus wiper targets Venezuelan 🇻🇪 energy and utilities with multi-stage deployment.

Khushal

Apr 4, 2024

A previously undocumented data-wiping malware dubbed Lotus was used last year in targeted attacks against energy and utilities organizations in Venezuela.

The malware was uploaded to a publicly available platform in mid-December from a machine in Venezuela and has been analyzed by researchers at Kaspersky.

Before the crippling stage, the attacker relies on two batch scripts that prepare the system for the final payload by weakening defenses and obstructing normal operations.
 
Kaspersky’s report describes Lotus as a destructive wiper rather than a typical financially motivated malware family.

What stands out

  • It was reportedly used in targeted attacks against energy and utilities organizations in Venezuela.
  • The purpose appears to be disruption and data destruction, not persistence or profit.
  • The two batch scripts are notable because they prepare the environment before the wiping stage by reducing defenses and making recovery harder.

Why that matters

In wiper campaigns, the preparation phase is often just as important as the final payload.

  • Disabling or weakening protections can reduce the chance of detection.
  • Obstructing normal operations can delay incident response.
  • Pre-wipe scripting may also interfere with backups, services, or administrative tools, which increases impact.

That pattern is consistent with destructive operations where the goal is to maximize downtime and damage.

Security takeaway

For defenders, the main lesson is that prevention should not focus only on the final executable.

  • Monitor suspicious script activity, especially batch or PowerShell execution on critical systems.
  • Restrict administrative scripting where possible through application control or policy.
  • Protect and isolate backups so they cannot be easily reached from production systems.
  • Use EDR or similar monitoring to detect defense evasion and service tampering before the destructive stage begins.
  • Segment critical infrastructure networks to limit lateral movement and blast radius.

Bottom line

If Kaspersky’s analysis is accurate, Lotus is another example of targeted destructive malware aimed at operational disruption. The most important defensive point is to detect the preparatory actions early, because once the wiping phase starts, recovery becomes much more difficult.

Source
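As an added example (not code from the post, and not from Kaspersky's report), here is a small detection routine that applies the "detect the preparatory actions early" advice above. It runs over constructed process-creation records in a Sysmon-like key=value layout, tags each command line with generic defense-weakening or recovery-obstruction categories, and raises a finding only when a batch-launched burst on one host hits several categories inside a short window. The command patterns, host names, script paths and log format are all assumptions for illustration; they are common pre-wipe tactics across wiper families and say nothing about what the Lotus batch scripts actually contain.

```python
"""
Pre-wipe preparation detector (added example, not from the post or from
Kaspersky's analysis). Tamper patterns below are generic wiper-prep tactics,
NOT a description of the Lotus batch scripts. Log layout and hosts are made up.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (category, regex over the child command line). Coarse on purpose so one
# rule covers many spellings; tune to your environment's admin tooling.
TAMPER_PATTERNS = [
    ("shadow_copy_removal", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",   re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("av_tampering",        re.compile(r"Set-MpPreference\s+.*-Disable\w+|\bsc(\.exe)?\s+(stop|config)\s+\S*(sense|windefend)", re.I)),
    ("service_stop",        re.compile(r"\b(net(\.exe)?|sc(\.exe)?)\s+stop\s+", re.I)),
    ("backup_catalog_wipe", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# key=value pairs, values optionally double-quoted (assumed log format)
LOG_LINE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one constructed process-creation record into a dict with a datetime ts."""
    fields = {}
    for key, quoted, bare in LOG_LINE.findall(line):
        fields[key] = quoted if quoted else bare
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def classify(cmd):
    """Return the set of tamper categories a command line matches (empty if benign)."""
    return {name for name, rx in TAMPER_PATTERNS if rx.search(cmd)}


def from_batch(event):
    """True when the child was spawned by cmd.exe running a .bat file."""
    parent_image = event.get("parent_image", "").lower()
    return parent_image.endswith("cmd.exe") and ".bat" in event.get("parent_cmd", "").lower()


def detect_prewipe_prep(lines, window=timedelta(minutes=5), min_categories=2):
    """One finding per host whose batch-launched commands hit >= min_categories
    distinct tamper categories within `window`. Single hits are ignored on
    purpose: an admin stopping one service is routine, a burst from a .bat is not."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        cats = classify(ev.get("cmd", ""))
        if cats and from_batch(ev):
            by_host[ev["host"]].append((ev["ts"], cats, ev["cmd"], ev["parent_cmd"]))

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            seen = set().union(*(e[1] for e in evs[start:end + 1]))
            if len(seen) >= min_categories:
                # report the whole burst after the first hit, not just the first two commands
                burst = [e for e in evs[start:] if e[0] - evs[start][0] <= window]
                findings.append({
                    "host": host,
                    "first_seen": burst[0][0].isoformat(),
                    "categories": sorted(set().union(*(e[1] for e in burst))),
                    "scripts": sorted({e[3] for e in burst}),
                    "commands": [e[2] for e in burst],
                })
                break   # one finding per host is enough for triage
    return findings


# Constructed sample: HMI-02 shows a two-script prep burst, FILESRV-01 is an
# interactive admin, ENG-WS-07 is a harmless maintenance batch file.
SAMPLE_EVENTS = r'''
ts=2025-01-10T03:12:01Z host=HMI-02 pid=4120 ppid=3388 image=C:\Windows\System32\vssadmin.exe parent_image=C:\Windows\System32\cmd.exe parent_cmd="cmd.exe /c C:\Temp\prep1.bat" cmd="vssadmin.exe delete shadows /all /quiet"
ts=2025-01-10T03:12:03Z host=HMI-02 pid=4132 ppid=3388 image=C:\Windows\System32\bcdedit.exe parent_image=C:\Windows\System32\cmd.exe parent_cmd="cmd.exe /c C:\Temp\prep1.bat" cmd="bcdedit.exe /set {default} recoveryenabled no"
ts=2025-01-10T03:12:04Z host=HMI-02 pid=4150 ppid=3412 image=C:\Windows\System32\net.exe parent_image=C:\Windows\System32\cmd.exe parent_cmd="cmd.exe /c C:\Temp\prep2.bat" cmd="net stop BackupSvc /y"
ts=2025-01-10T03:12:09Z host=HMI-02 pid=4161 ppid=3412 image=C:\Windows\System32\wbadmin.exe parent_image=C:\Windows\System32\cmd.exe parent_cmd="cmd.exe /c C:\Temp\prep2.bat" cmd="wbadmin.exe delete catalog -quiet"
ts=2025-01-10T03:15:40Z host=FILESRV-01 pid=902 ppid=880 image=C:\Windows\System32\net.exe parent_image=C:\Windows\explorer.exe parent_cmd="explorer.exe" cmd="net stop Spooler"
ts=2025-01-10T03:20:12Z host=ENG-WS-07 pid=2210 ppid=2201 image=C:\Windows\System32\net.exe parent_image=C:\Windows\System32\cmd.exe parent_cmd="cmd.exe /c C:\Scripts\restart_printers.bat" cmd="net stop Spooler"
'''.strip().splitlines()

if __name__ == "__main__":
    print(json.dumps(detect_prewipe_prep(SAMPLE_EVENTS), indent=2))
```

The batch-launch gate and the two-category threshold are the tuning knobs: drop the gate if you also want interactive bursts (an attacker with a hands-on-keyboard session), and raise the threshold on hosts where backup rotation scripts legitimately touch shadow copies.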